US Cities Exposed in Shodan

An in-depth analysis of Shodan data reveals how some of the biggest US cities fare in terms of exposed cyber assets, what this means in terms of security, and how home users and organizations can protect their data.

Shodan is an online search engine that catalogs cyber assets or internet-connected devices. Many cyber assets are exposed in Shodan for a number of reasons, including poor configuration. This level of exposure can become a serious security concern when hackers take advantage of them to steal data, launch ransomware or distributed denial-of-service (DDoS) attacks, or gain entry into networks.

Using Shodan data, Trend Micro researchers Numaan Huq, Stephen Hilt, and Natasha Hellberg assess which devices, servers, and critical sectors in the US are the most exposed. Affected parties can use this information when implementing the necessary security measures that will better protect their data and assets from future compromise.

EXPOSED DEVICES

Exposed devices
  • Webcams
  • NAS Devices
  • Routers
  • Printers
  • Phones
  • Exposed Media Devices

Webcams

Webcams are attractive targets for attackers not only because they can be used for surveillance but also because many webcams don’t come with an auto-update function. This means they are rarely patched and can be easily exploited. Houston, Texas is one of the biggest US cities with the most number of exposed webcams, while GeoVision GeoHTTPServer is the most exposed product.

 
GeoVision GeoHttpServer for webcams

D-Link DCS-930L webcam http interface

Avtech AVN801 network camera

NAS Devices

NAS devices are popular solutions for backing up and storing data, as well as sharing files in collaborative work environments. Compromised NAS devices can lead to potential data theft and loss. Although there are relatively few exposed NAS devices in the US, most of them are located in Phoenix, Arizona. The most exposed NAS device is the Seagate GoFlex SSHD.

 
Seagate GoFlex NAS device sshd

Synology DiskStation NAS ftpd

Adaptec/IBM ServeRAID Management http config

Mediabolic http config

Routers

Despite manufacturers' efforts to release firmware upgrades and security patches for their routers, only a few users ever really install these fixes. These make routers exposed and vulnerable. Compromised routers can be abused to steal credentials, redirect users to malicious sites, or generate network traffic in DDoS attacks. Cisco routers, which dominate the Shodan results, are typically installed by Internet service providers (ISPs) in customers’ homes. Houston, Texas has the most number of exposed routers.

 
Cisco router telnetd

Linksys wireless-G WAP http config

DD-WRT milli_httpd

MikroTik router ftpd

D-Link DLS-2750U ftp firmward update

Printers

Printers can be a treasure trove of information for attackers seeking to go much deeper into a network or steal and sell insider information. An office printer, for example, handles confidential documents containing financial, customer, and sales data, as well as intellectual property. Los Angeles, California has the most number of exposed printers; Debut embedded HTTPD is the most exposed product.

 
Debut embedded httpd

HP-ChaiSOE

Brother/HP printer ftpd

Allegro RomPager

HP LaserJet CP1205nw or P1606 httpd config

HP JetDirect ftpd

Phones

Many companies are switching to voice over internet protocol (VoIP) phones because they make calling overseas cheaper; this is why Free Private Branch Exchange (FPBX) dominate Shodan results. Phones can be compromised to disrupt voice communications or eavesdrop on conversations. San Jose, California has the highest concentration of unsecured phones in the US.

 
FPBX

VoIP phone

VoIP adapter

Telecom-misc

Phone

Exposed Media Devices

Most media devices found on Shodan are digital video recorders (DVRs). DVRs can be security risks if attackers can access saved or live surveillance footage, or abuse them for lateral movement in a network. Chicago, Illinois has the most number of exposed DVRs, while TiVo To Go HTTPD is the most exposed product.

 
TiVo To Go httpd

Panasonic DVR slinger httpd config

Dedicated Micros Digital Sprite 2 DVR telnetd

AMX NetLinx A/V control system ftpd



EXPOSED SERVERS AND DATABASES

Exposed Servers
  • Web Servers
  • Email Servers
  • MySQL
  • PostgreSQL
  • MongoDB
  • MS-SQL
  • Medical PACS
  • Medical EHR

Web Servers

Web servers are Internet-facing by design and are riddled with vulnerabilities, which attackers can take advantage of. A compromised Web server can be used to redirect visitors to malicious websites, or host malicious content and illegal data. Apache HTTPD type is the most exposed product, while Los Angeles, California has the most number of exposed web servers.

 
Apache httpd

nginx

Microsoft IIS httpd

Email Servers

Email servers (especially those used by organizations handling critical data) provide a wealth of confidential information that cybercriminals can monetize. Attackers can also target these servers to disrupt email services and severely cripple business operations. Los Angeles, California has the most number of exposed email servers, while Exim SMTPD is the most exposed product.

 
Exim smptd

Postfix smtpd

Sendmail

Microsoft ESMTP

MySQL Databases

Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.

From the Shodan data, we found that MySQL was the most popular database exposed on the Internet. Most of these exposed databases are concentrated in Los Angeles, California.

PostgreSQL Databases

Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.

Chicago tops the list as one of the biggest cities with the most number of exposed PostgreSQL databases.

MongoDB Databases

Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.

MongoDB returns banner information, including stored table names. This makes it easy for attackers to figure out what type of data is stored in the exposed MongoDB databases.

MS-SQL Databases

Databases make for choice targets given the variety of sensitive information they store such as financial, customer, sales, and inventory data; PII; credentials; and other information used by business applications.

Compared to other US cities, Los Angeles, California has the highest concentration of exposed MS-SQL databases.

Medical PACS Databases

A picture archiving and communication system (PACS) database is mainly used in the medical industry for economic storage and convenient access to images taken for various medical procedures like CT scan, X-Ray, MRI, or ultrasound. If these records ever fall into the wrong hands, they can be used for defamation, blackmail, or extortion. Chicago, Illinois has the most number of exposed PACS servers, while Apache HTTPD is the most exposed server software.

 
Apache httpd

Microsoft IIS httpd

nginx

Medical EHR Databases

An electronic health record (EHR) database is mostly similar to PACS and is often used interchangeably. It stores patient data such as medical histories, laboratory test results, and insurance information. Houston, Texas has the most number of exposed EHR databases, while Apache HTTPD is the most exposed server product. Apache has plenty of known vulnerabilities that attackers can exploit, giving them access to the said data. The volume of available patient health records for sale in Deep Web marketplaces may indicate regular compromise of such systems.

 
Apache httpd

Microsoft IIS httpd

nginx

Apache Tomcat/Coyote JSP engine



EXPOSED CRITICAL SECTORS

Exposed Critical Sectors
  • Government
  • Emergency Services
  • Healthcare
  • Utilities
  • Finance
  • Education

Government

Lafayette, Louisiana and Saint Paul, Minnesota have more exposed government cyber assets than the US capital, Washington DC. Firewalls make up almost half of the sector’s most exposed devices.

 
Firewall
WAP
Specialized
Webcam
Router
Security-misc
Printer
Switch
VoIP phone
Print server

Emergency Services

Houston, Texas and Lafayette, Louisiana are the top two cities with the most number of exposed cyber assets, with firewalls (55.65%) and printers (25%) making up the bulk of it.

 
Firewall
Printer
Router
Webcam
WAP
Switch
Security-misc
Specialized
PBX
Terminal Server

Healthcare

The US healthcare sector has the least number of exposed cyber assets compared to the other sectors, with firewalls (69.10%) being the most exposed. Despite this, however, Shodan data reveals multiple unpatched servers running in healthcare organizations.

 
Firewall
Security-misc
Router
Specialized
Printer
Switch
WAP
Webcam

Utilities

Most exposed cyber assets in this sector are located in small cities and towns instead of big cities. Clarksville, Tennessee has the most number of exposed assets in this sector, while wireless application protocol (WAP) is the most exposed cyber asset.

 
WAP
Firewall
Webcam
Router
Security-misc
Specialized
Storage-misc
Printer
PBX
VoIP phone

Finance

Shodan found very few exposed printers and webcams, as well as very few unpatched vulnerable servers running in the US financial sector. New York City has the highest number of exposed financial cyber assets. Like with the other sectors, firewalls are the most exposed devices.

 
Firewall
Security-misc
Router
PBX
WAP
Switch
Specialized
Printer
VoIP phone
Webcam

Education

With 65,000, Philadelphia, Pennsylvania has the most number of exposed cyber assets in the education sector. Like the rest of the sectors printers, firewalls, and webcams made the bulk of these exposed devices, along with multiple unpatched servers.

 
Printer
Firewall
Specialized
Webcam
Print Server
Router
Switch
Media Devices
WAP
VoIP Phone

It must be noted that while we say ‘unsecured’ and ‘exposed’, this do not necessarily mean that the listed cyber assets are compromised, rather they are simply poorly configured and are thus vulnerable. As such, there may still be time for the owners of these unsecured cyber assets to secure them and prevent further attacks.

For complete and detailed information on this research, as well as up-to-date and actionable steps organizations and even home users can take to better secure their networks and connected devices, you can check out our research papers below.

DOWNLOAD FULL REPORTS

Cities Exposed Industries


ERRATUM: The article and research paper mistakenly mentioned Lafayette, Indiana when published. It has been corrected to Lafayette, Louisiana.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.